Author's Opinion


Wednesday, 30 January 2008 06:06

Security is always a tradeoff: Schneier

Security is essentially a tradeoff and the main question about it is not whether we are safe or not but whether it is worth it. Simple and to the point. That's the way Bruce Schneier, probably the world's foremost security expert, puts it.

And that is the reason why Schneier enjoys the reputation he does - because, like the few true intellectuals around, he is a fount of wisdom, not just knowledge.

Schneier gave the keynote address on the opening day of the main part of Australia's national Linux conference today; his topic was "Reconceptualising Security", something on which he is eminently qualified to speak.

As usual, he came to the point: "Security is both a feeling and a reality. You can feel secure without actually being secure and you can be secure even though you don't feel secure."

And how does one bridge the gap between people both knowing they are secure and feeling the same way? Once again, it's very basic: information is the only way.

With this as the central tenet of his talk, Schneier set out to illustrate it and did so with simple examples.

He said that within the industry people tended to discount the feeling in favour of the reality but the difference between the two was important. It explained why there was much of what he called "security theatre" that did not work and why so many smart solutions were never implemented.

By security theatre he said he meant the various "snake oil" solutions that addressed feelings and were no good in reality.

Citing the example of the attacks on the World Trade Centre in September 2001, Schneier said that shortly after the incident he had been asked by a journalist how the US could ensure that such an event never recurred.

He said his answer was very short: "Take all the planes out of the sky."

There was a roar of laughter from the LCA audience at this but everyone settled down when Schneier reminded them that grounding all air traffic was exactly what the US government had done after the incident. It temporarily gave people the feeling of being safe - but obviously could not be persevered with.

Schneier said when it came to the economics of security, once again it was a tradeoff - how much were you spending? And was it worth the risk you were eliminating? "If you take the example of software, you may have to drop a feature set to provide more security - but then you have to weigh up the tradeoff again - do you need that feature set to sell your product to a particular person," he said.

He noted that nobody in the audience was wearing a bulletproof vest - even though that would have been a good way of ensuring that they arrived alive to attend his keynote. But traded off against the inconvenience of wearing such a heavy garment in summer and the lack of fashion sense it would convey, people had chosen not to wear one, he said to peals of laughter.

People tended to over-estimate uncommon risks and play down common ones; they also tended to over-estimate involuntary risks and play down voluntary ones, Schneier said.

Most of the time this worked reasonably well. But the human brain was optimised to deal with security threats from an age long past and was not used to modern times and all the accompanying threats.

Schneier pointed out that when feeling and reality got out of whack, then fear would influence behaviour.

"If I sell you a lock that does not work, pretty soon you will notice. Until you do, you will have that feeling of security," he said.

While the basic tenets of security were simple, Schneier said that there were people with various agendas who would willingly create misunderstandings. For example, there was a lot of data showing that a national ID card would not be very effective but there were groups which had a stake in such a product who would spread misinformation.

"And the media often plays a role in spreading this kind of mass misinformation," he said.

Schneier touched on the so-called "lemons market" where the information available to the buyer and seller is asymmetric. He gave the example of a used car market where there were 1000 good cars and 1000 "lemons" or cars that were sure to give up the ghost after a short time.

If the good ones cost $2000 and the lemons $500 and the price which an average consumer was willing to pay was around $1500, then more lemons would be sold. However if the buyer was in possession of sufficient information to distinguish between the good cars and the lemons, then more of the former would be sold.

A seller could always increase the attraction of a car in either category by offering a six-month warranty - "he says take it, use it for this amount of time and if it breaks down bring it back."

When it came to IT, people tended to decide about security based on various factors - the reputation of a company (here he cited the old mantra "nobody ever got fired for buying IBM"), product reviews, certifications and so on.

"For some, the fact that a product is open source is a signal that it is good, for others it is a negative; it works the same way for proprietary products," Schneier said.

"Lots of our security is outsourced to people who have agendas and tend to manipulate things; as a result we often tend to end up more insecure though we don't actually feel that way."

To illustrate the importance of feeling, Schneier cited a case in the US where a certain over-the-counter medication had been tampered with and caused a case of poisoning.

"Within a few days, people were terrified of buying any non-prescription drugs," he said. "The company reacted to the crisis and introduced tamper-proof caps for their product and this restored people's feeling of security."

With a twinkle in his eye, he added, "even though there are numerous ways to get around that kind of cap, beginning with a syringe."

Information was the only way around the security problem, Schneier concluded as he ended his talk and earned the closest thing to a standing ovation.

Before the keynote, Jonathan Oxer, the president of Linux Australia, declared the conference formally open and acknowledged the traditional owners of the land on which the conference is being held.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
